CERT-Polska / malduck

:duck: Malduck is your ducky companion in malware analysis journeys
GNU General Public License v3.0
313 stars 32 forks

error in running karton-config-extractor in docker #118

Closed bormaa closed 8 months ago

bormaa commented 8 months ago

When I use karton-config-extractor it throws an error

{
  "error": [
    "Traceback (most recent call last):\n",
    " File \"/usr/local/lib/python3.9/site-packages/karton/core/karton.py\", line 181, in internal_process\n self.process(self.current_task)\n",
    " File \"/usr/local/lib/python3.9/site-packages/karton/config_extractor/config_extractor.py\", line 259, in process\n self.analyze_sample(task, sample)\n",
    " File \"/usr/local/lib/python3.9/site-packages/karton/config_extractor/config_extractor.py\", line 171, in analyze_sample\n extractor.push_file(temp.name)\n",
    " File \"/usr/local/lib/python3.9/site-packages/malduck/extractor/extract_manager.py\", line 200, in push_file\n return self.push_procmem(p, rip_binaries=True)\n",
    " File \"/usr/local/lib/python3.9/site-packages/malduck/extractor/extract_manager.py\", line 234, in push_procmem\n matches = p.yarav(self.rules, extended=True)\n",
    " File \"/usr/local/lib/python3.9/site-packages/malduck/procmem/procmem.py\", line 815, in yarav\n return ruleset.match(\n",
    " File \"/usr/local/lib/python3.9/site-packages/malduck/yara.py\", line 191, in match\n matches = YaraRulesetMatch(\n",
    " File \"/usr/local/lib/python3.9/site-packages/malduck/yara.py\", line 245, in init\n super().init(elements=self._map_matches(matches, offset_mapper))\n",
    " File \"/usr/local/lib/python3.9/site-packages/malduck/yara.py\", line 248, in _map_matches\n mapped_matches = [\n",
    " File \"/usr/local/lib/python3.9/site-packages/malduck/yara.py\", line 249, in \n (match, self._map_strings(match.strings, offset_mapper))\n",
    " File \"/usr/local/lib/python3.9/site-packages/malduck/yara.py\", line 262, in _map_strings\n for offset, identifier, content in strings:\n",
    "TypeError: cannot unpack non-iterable yara.StringMatch object\n"
  ],
  "headers": {
    "extension": "exe",
    "kind": "runnable",
    "mime": "application/vnd.microsoft.portable-executable",
    "origin": "karton.classifier",
    "platform": "win32",
    "quality": "high",
    "receiver": "karton.config-extractor",
    "share_3rd_party": true,
    "stage": "recognized",
    "type": "sample"
  },
  "last_update": 1703428860.771125,
  "orig_uid": "25857092-d448-4e9d-bfa5-ae780188a527",
  "parent_uid": "757777d1-3d09-4c35-94c1-ae883071accb",
  "payload": {
    "extraction_level": 1,
    "magic": "PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections",
    "parent": {
      "karton_resource": {
        "bucket": "karton",
        "flags": [],
        "metadata": { "sha256": "f4959f2caaa616704c7810840e6fabe646b2be27e728c2363d721b42771bbac6" },
        "name": "f4959f2caaa616704c7810840e6fabe646b2be27e728c2363d721b42771bbac6",
        "sha256": "f4959f2caaa616704c7810840e6fabe646b2be27e728c2363d721b42771bbac6",
        "size": 14794523,
        "uid": "97db86c1-438f-4799-84c7-57e6706e9aeb"
      }
    },
    "sample": {
      "karton_resource": {
        "bucket": "karton",
        "flags": [],
        "metadata": { "sha256": "8ac3491b1b780ca4a8d27e0f729b123473f1eab7f6e918a803197769467ddb91" },
        "name": "DarkComet Fixed.exe",
        "sha256": "8ac3491b1b780ca4a8d27e0f729b123473f1eab7f6e918a803197769467ddb91",
        "size": 12767232,
        "uid": "3c085be9-028c-42f8-8b5d-e9d3e080aeef"
      }
    },
    "tags": [ "runnable:win32:exe" ]
  },
  "payload_persistent": {
    "__headers_persistent": { "quality": "high", "share_3rd_party": true }
  },
  "priority": "normal",
  "root_uid": "4fe01bc1-1742-4496-a960-13f3a9a718e0",
  "status": "Crashed",
  "uid": "73191965-3baf-4f2c-bb75-a48056649838"
}

bormaa commented 8 months ago

The solution was downgrading yara-python to 4.2.0

nazywam commented 8 months ago

I think you may be running an outdated version of malduck. The issue you encountered was fixed in v4.3.2 - https://github.com/CERT-Polska/malduck/pull/94

Could you verify/confirm it so we can close this issue?
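The traceback in the report shows where the two library versions disagree: malduck's `_map_strings` iterates `match.strings` as `(offset, identifier, content)` triples, while the object it actually receives is a `yara.StringMatch`, which is not iterable. The example below is added here for illustration; it is not malduck's code and not the change made in PR #94. It assumes, based on the yara-python 4.3 API as I recall it (treat the attribute names as an assumption), that each `StringMatch` carries an `identifier` and a list of `instances`, each with `offset` and `matched_data`. The stand-in classes are constructed so the example runs without yara installed; they only mimic the attribute shape.

```python
from typing import Any, Iterator, List, Tuple

Triple = Tuple[int, str, bytes]


def unpack_naively(strings: Any) -> List[Triple]:
    """The shape malduck's _map_strings assumed before the fix: every element
    must be a 3-tuple. With a yara-python >= 4.3 StringMatch object this raises
    'TypeError: cannot unpack non-iterable yara.StringMatch object'."""
    out: List[Triple] = []
    for offset, identifier, content in strings:
        out.append((offset, identifier, content))
    return out


def iter_string_matches(strings: Any) -> Iterator[Triple]:
    """Yield (offset, identifier, content) triples from Match.strings,
    whichever yara-python API shape produced them.

    - yara-python < 4.3: a list of (offset, identifier, content) tuples.
    - yara-python >= 4.3 (assumed attribute names): a list of StringMatch
      objects with .identifier and .instances; each instance has .offset
      and .matched_data.
    """
    for item in strings:
        if isinstance(item, tuple) and len(item) == 3:
            offset, identifier, content = item
            yield int(offset), str(identifier), bytes(content)
            continue
        identifier = getattr(item, "identifier", None)
        instances = getattr(item, "instances", None)
        if identifier is None or instances is None:
            # Neither shape: fail loudly instead of silently dropping matches,
            # since a missing match means a missed config extraction.
            raise TypeError(f"unsupported yara string match object: {item!r}")
        for inst in instances:
            yield int(inst.offset), str(identifier), bytes(inst.matched_data)


def normalize(strings: Any) -> List[Triple]:
    """Materialise the triples so callers written for the old API keep working."""
    return list(iter_string_matches(strings))


# --- constructed stand-ins for the yara-python >= 4.3 objects (not the real classes)

class FakeStringMatchInstance:
    def __init__(self, offset: int, matched_data: bytes) -> None:
        self.offset = offset
        self.matched_data = matched_data


class FakeStringMatch:
    def __init__(self, identifier: str, instances: List[FakeStringMatchInstance]) -> None:
        self.identifier = identifier
        self.instances = instances


# Constructed sample data: the same two hits expressed in both API shapes.
LEGACY_STRINGS = [(0x10, "$a", b"foo"), (0x40, "$b", b"bar")]
NEW_STRINGS = [
    FakeStringMatch("$a", [FakeStringMatchInstance(0x10, b"foo")]),
    FakeStringMatch("$b", [FakeStringMatchInstance(0x40, b"bar")]),
]


def naive_unpack_fails_on_new_shape() -> bool:
    """True if the old unpacking loop breaks on the new object shape."""
    try:
        unpack_naively(NEW_STRINGS)
    except TypeError:
        return True
    return False


if __name__ == "__main__":
    print("legacy:", normalize(LEGACY_STRINGS))
    print("new:   ", normalize(NEW_STRINGS))
    print("naive unpack fails on new shape:", naive_unpack_fails_on_new_shape())
```

Pinning yara-python to 4.2.0, as the reporter did, sidesteps the problem; normalising at the one place the two shapes meet keeps the rest of the extractor unchanged and fails loudly on any third shape, so a future API change is noticed as a crash rather than as an extractor that quietly stops producing configs.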

bormaa commented 8 months ago

It is malduck 4.3.0. We can close the issue now.